Manage your Outsourcing Outcomes

A couple of days ago, an IS auditor found a stale user account in our financial system. A stale user account belongs to an employee who either changed jobs or has left the company. In either case, access is no longer required. The account in question belonged to a person no longer employed by our organization. With a little additional checking of our own, we found three more stale user accounts in the same system, accounts that should have been terminated within the last 60 days.

Failure to terminate accounts is a symptom of a process failure. Granted, we terminate between 550 and 600 accounts per month. But it only takes one unused account to provide under-the-radar access to an internal or external attacker. So which process broke down?

The first place we look when a stale account is found is our outsourced Help Desk. We provide a daily terminations list to them, and they manually work through a termination process. It would be easy to just point a finger at them with a hearty, "It's their fault." But placing blame doesn't fix the problem. And people are less likely to fully cooperate in a solution activity if they believe the personal outcome of providing their cooperation is less than desirable.

During a collaborative after-action review, we found that the process used by the Help Desk was technically correct. However, the control used to ensure all terminations are effectively processed in the time specified in our service level objectives was broken. This was immediately fixed. If we took the position that we have no responsibility for termination errors, this would have been the end of the remediation activity. But we do have a responsibility to ensure that the processes and controls used by the Help Desk result in the desired outcomes.

Once we completed the process review and modification for the Help Desk, we switched our focus to our internal processes. My team took the stand that we are responsible for validating the outcomes we expect. In other words, we have to "inspect what we expect." Although we had controls in place to determine whether the service level objectives for outsourced processes were being met, they were not as effective as they should have been. So we modified our processes and controls to help us do a better job of providing vendor oversight.
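One concrete form of "inspect what we expect" is a reconciliation check that the in-house team runs independently of the Help Desk: compare the terminations list handed to the vendor against the accounts that are still enabled in the target system, and flag every account that remains active past the agreed processing window. The example below is added here for illustration and is not code from the original post or from any vendor's tooling; the employee IDs, dates, and the two-day grace period are constructed assumptions, and a real deployment would read the terminations feed and the system's account export instead of the inline lists.

```python
from datetime import date

# Constructed sample: the daily terminations feed as (employee id, termination date).
TERMINATIONS = [
    ("e1001", date(2024, 3, 1)),
    ("e1002", date(2024, 3, 15)),
    ("e1003", date(2024, 5, 20)),
    ("e1004", date(2024, 5, 28)),
    ("e1005", date(2024, 5, 31)),
]

# Constructed sample: accounts still enabled in the financial system. "e2000" was
# never terminated and must not be flagged; "e1002" was correctly disabled.
ACTIVE_ACCOUNTS = {"e1001", "e1003", "e1004", "e1005", "e2000"}

# Assumed service level objective: the vendor has two calendar days to disable an
# account after it appears on the terminations list (hypothetical value).
GRACE_DAYS = 2

# Constructed "today" so the check is reproducible offline.
AS_OF = date(2024, 6, 1)


def find_stale_accounts(terminations, active_accounts, as_of, grace_days):
    """Return terminated users whose account is still active past the grace period.

    Each result records how many days past the grace period the account has been
    left enabled, so the most overdue accounts can be escalated first.
    """
    stale = []
    for user, terminated_on in terminations:
        if user not in active_accounts:
            continue  # correctly disabled; nothing to report
        days_since = (as_of - terminated_on).days
        if days_since <= grace_days:
            continue  # still inside the processing window
        stale.append({
            "user": user,
            "terminated_on": terminated_on,
            "days_overdue": days_since - grace_days,
        })
    # Oldest failures first: these are the highest-risk accounts.
    stale.sort(key=lambda row: row["days_overdue"], reverse=True)
    return stale


def run_check():
    """Run the reconciliation against the constructed sample data."""
    return find_stale_accounts(TERMINATIONS, ACTIVE_ACCOUNTS, AS_OF, GRACE_DAYS)


if __name__ == "__main__":
    for row in run_check():
        print(f"{row['user']}: terminated {row['terminated_on']}, "
              f"still active, {row['days_overdue']} day(s) past the SLO")
```

Running the check daily from the customer side, rather than relying on the vendor's own completion report, is what turns the service level objective into a measured outcome: the report is empty when the outsourced process worked, and otherwise names exactly which terminations slipped and by how much.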

When a process is outsourced, the responsibility for the process' outcomes still remains in house. The vendor doesn't have ultimate responsibility to protect the interests of customers, employees, or investors. That responsibility rests squarely on our shoulders. It's imperative that we develop strong processes to manage expected outcomes. Anything less should be considered negligence.

One final note: we plan to implement a provisioning system later this year. Although no solution is perfect, automated terminations and stale user account management will be a big step forward.

Disclaimer: Blog contents express the viewpoints of their independent authors and are not reviewed for correctness or accuracy by Toolbox for IT. Any opinions, comments, solutions or other commentary expressed by blog authors are not endorsed or recommended by Toolbox for IT
or any vendor.